[JENKINS-76121] EC2 Plugin: Controller on EKS with Pod Identity fails to get regions

With a controller running as a pod on EKS under best practices of Pod Identity and IMDS hops limited to 1, the selection of "Use EC2 instance profile to obtain credentials?" hits an authorization failure when trying to fetch the region list from the IMDS endpoint. 

The current implimentation assumes if the EC2 Cloud node is to use EC2 instance profiles, then the controller must also have access. Which it may not.

It would be better to fetch the region list on the controller with implicit Java SDK credential discovery as Pod Identity should still work for that.

Workaround is to set the EKS cluster nodes metadata settings to allow 2 hops, though this is less secure. 

For those using [terraform-aws-modules/aws/eks|<a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest" class="external-link" target="_blank" rel="nofollow noopener">https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest</a>], a recent change improved the default for ` 
http_put_response_hop_limit` to 1 from 2. Existing cluster with Jenkins controller pods deployed will break.

---
<details><summary>Originally reported by <img align="left" width="20" src="https://raw.githubusercontent.com/jenkinsci/artifacts-from-jira-issues/refs/heads/main/avatars/eightnoneone.png" title="eightnoneone's avatar" /> <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=eightnoneone">eightnoneone</a>, imported from: <a class="original-jira-link" href="https://issues.jenkins.io/browse/JENKINS-76121" target="_blank">EC2 Plugin: Controller on EKS with Pod Identity fails to get regions</a></summary>
<ul>
<li>assignee: <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=thoulen">thoulen</a>
<li>status: Open
<li>priority: Major
<li>component(s): ec2-plugin
<li>resolution: Unresolved
<li>votes: 0
<li>watchers: 1
<li>imported: 2025-12-06
</ul>
<details><summary>Raw content of original issue</summary>

<pre>
With a controller running as a pod on EKS under best practices of Pod Identity and IMDS hops limited to 1, the selection of "Use EC2 instance profile to obtain credentials?" hits an authorization failure when trying to fetch the region list from the IMDS endpoint. 

The current implimentation assumes if the EC2 Cloud node is to use EC2 instance profiles, then the controller must also have access. Which it may not.

It would be better to fetch the region list on the controller with implicit Java SDK credential discovery as Pod Identity should still work for that.

Workaround is to set the EKS cluster nodes metadata settings to allow 2 hops, though this is less secure. 

For those using [terraform-aws-modules/aws/eks|<a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest" class="external-link" target="_blank" rel="nofollow noopener">https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest</a>], a recent change improved the default for `
http_put_response_hop_limit` to 1 from 2. Existing cluster with Jenkins controller pods deployed will break.</pre>
</details>
</details>
<details><summary>environment</summary>

```
Jenkins 2.504.3 
Amazon EC2 2032.v92a_4b_e703974
```
</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[JENKINS-76121] EC2 Plugin: Controller on EKS with Pod Identity fails to get regions #1978

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[JENKINS-76121] EC2 Plugin: Controller on EKS with Pod Identity fails to get regions #1978

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions